vim /etc/etter.conf
# if you use iptables:
redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
nmap -sP 10.0.0.0/24
ettercap -Tq -i eth0 -M arp /10.0.0.4/ //
Ettercap:
Ettercap is a tool for network protocol analysis and security auditing. It has the ability to intercept traffic on a network, capture passwords, and conduct active eavesdropping against common protocols.
For this exercise I will be using ARP Poisoning to sniff the LAN for passwords that use SSL (Hotmail, Gmail, Etc.)
ARP :
“Address Resolution Protocol”: As defined by Wikipedia: ARP is a computer networking protocol for determining a network host's link layer or hardware address when only its Internet Layer (IP) or Network Layer address is known. This function is critical in local area networking as well as for routing internetworking traffic across gateways (routers) based on IP addresses when the next-hop router must be determined.
So in normal terms ARP is the way that we get a MAC address of a Host or Node from the IP address.
ARP Spoofing:
This is the technique we will use to attack a wired or a wireless network. ARP Spoofing allows the attacker to sniff data frames from the LAN, then gives you the ability to modify the traffic (good for redirecting to your own computer to download an exploit to victim), or stop the traffic from entering the network, or a specific computer (good for local DOS Attacks on a Local Area Network).
The idea behind the attack is to send a fake (AKA “Spoofed”) ARP message to the LAN. Any traffic on the network meant for that IP address that you attacked (whole network if you want) will be sent to the attacker. The attacker (you) can choose to forward the traffic to the actual gateway (Passive Sniffing) or modify the data before forwarding it (Man in the Middle).
How we will do it for this exercise:
Edit a file:
We first have to edit one file (Don't worry, we just have to delete two # signs to “uncomment” them).
The file we will be editing is called etter.conf and it can be found under the etc folder. (Full Path = /etc/etter.conf)
We need to change the part under the “redir_command_on/off” section. It is under the Linux sub heading.
MAKE SURE YOU ONLY UNCOMMENT THE TWO LINES UNDER “if you use iptables” NOTICE: IPTABLES, Not Chains.
The Linux subsection will look like this when done:
Code:
#---------------
# Linux
#---------------
# if you use ipchains:
#redir_command_on = "ipchains -A input -i %iface -p tcp -s 0/0 -d 0/0 %port -j REDIRECT %rport"
#redir_command_off = "ipchains -D input -i %iface -p tcp -s 0/0 -d 0/0 %port -j REDIRECT %rport"
# if you use iptables:
redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
Notice how there are no Pound (#) signs in front of the last two lines.
Run Ettercap:
Now we can start Ettercap-GTK (This is a pretty version of the shell program, it gives us a nice GUI to play with). Ettercap-GTK can be found under: Menu -> Backtrack -> Privilege Escalation -> Spoofing -> Ettercap-GTK
Setting up Sniffing:
Sniff -> Unified Sniffing
Eth0 -> OK ………………………..(This runs Sniffing on your first Ethernet card)
Hosts -> Scan for hosts ………… (Scans the network for targets)
Hosts -> Hosts List ………………….(Opens your hosts list
Now, you have all the computers on the network on the host list. If you want to only scan one computer (its better and quicker for us to just do the one) then click on the default gateway first, and click the target 1 button.
After you do the default gateway, then click your computer you are attacking and make it “Target 2” by selecting it and clicking the “target 2” button.
After setting up the sniffing:
Mitm -> ARP poisoning -> Select “Sniff remote connections” Hit OK
Start -> Start Sniffing
Your done! Now you are sniffing the computer for passwords onto certain websites that use SSL for their security. When you are done go to: Start -> Stop Sniffing, and then go to Mitm -> Stop mitm attack(s)
Problems:
When you run this, the SSL certificates on some websites will not be valid, so the user has to constantly hit yes for the attack to run successfully. For most users this won't be a problem seeing as how they “Trust” the site usually and will hit yes.
附Ettercap使用说明
ettercap NG-0.7.3 copyright 2001-2004 ALoR & NaGA
Usage: ettercap [OPTIONS] [TARGET1] [TARGET2]
TARGET is in the format MAC/IPs/PORTs (see the man for further detail)
Sniffing and Attack options:
-M, --mitm <METHOD:ARGS> perform a mitm attack
-o, --only-mitm don't sniff, only perform the mitm attack
-B, --bridge <IFACE> use bridged sniff (needs 2 ifaces)
-p, --nopromisc do not put the iface in promisc mode
-u, --unoffensive do not forward packets
-r, --read <file> read data from pcapfile <file>
-f, --pcapfilter <string> set the pcap filter <string>
-R, --reversed use reversed TARGET matching
-t, --proto <proto> sniff only this proto (default is all)
User Interface Type:
-T, --text use text only GUI
-q, --quiet do not display packet contents
-s, --script <CMD> issue these commands to the GUI
-C, --curses use curses GUI
-G, --gtk use GTK+ GUI
-D, --daemon daemonize ettercap (no GUI)
Logging options:
-w, --write <file> write sniffed data to pcapfile <file>
-L, --log <logfile> log all the traffic to this <logfile>
-l, --log-info <logfile> log only passive infos to this <logfile>
-m, --log-msg <logfile> log all the messages to this <logfile>
-c, --compress use gzip compression on log files
Visualization options:
-d, --dns resolves ip addresses into hostnames
-V, --visual <format> set the visualization format
-e, --regex <regex> visualize only packets matching this regex
-E, --ext-headers print extended header for every pck
-Q, --superquiet do not display user and password
General options:
-i, --iface <iface> use this network interface
-I, --iflist show all the network interfaces
-n, --netmask <netmask> force this <netmask> on iface
-P, --plugin <plugin> launch this <plugin>
-F, --filter <file> load the filter <file> (content filter)
-z, --silent do not perform the initial ARP scan
-j, --load-hosts <file> load the hosts list from <file>
-k, --save-hosts <file> save the hosts list to <file>
-W, --wep-key <wkey> use this wep key to decrypt wifi packets
-a, --config <config> use the alterative config file <config>
Standard options:
-U, --update updates the databases from ettercap website
-v, --version prints the version and exit
-h, --help this help screen
1290
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
